-
Notifications
You must be signed in to change notification settings - Fork 73
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: adding cert template for sub ca creation #55
feat: adding cert template for sub ca creation #55
Conversation
Thanks for submitting this pull request! Pull request reviews and check-ins are on-hold while we update testing. We will review pull requests in the order we received them once the update is complete. Please check back to view the status of the update and your pull request. |
Is there any estimated timeline on when the testing update will be completed? |
@MattLok The testing modifications are going through their final security review, after which we will review and accept new PRs. Thank you for your patience. |
Thanks for taking the time to cut this PR! Apologies for the delay on a review, just wanted to make sure I understood the implications of this PR before approving for merge. My largest concern here is that this is a one way door in terms of the use of the
Thoughts? |
This did come to mind when putting this pull request in. However, there are presently no configuration interfaces for this plugin ("isCA" is part of the cert-manager object that is passed to plugin). This means we will have to introduce something new to the plugins design that is a bit outside of intended scope. (which I am fine with!). I think option 2 sounds good. Ill try to find time to add the api interface and update this |
Can we add a new spec input without having to go to cert-manager to update interface there? for example adding path length as an input...
Let me try it out and see if it works for us |
I don't think you can update the Certificate Kind without cutting a PR to Cert-Manager. The creation of the Certificate will kick off the Cert-Manager controller which will try to generate a CSR but will probably run into issues when it sees "subCAPathLen" and doesn't understand what that is. |
Ok, any suggestions on how we should introduce variable inputs for this issuer? |
4e61d07
to
a563016
Compare
I just reread your initial suggestion. By adding a flag you are referring to a flag for the process (https://github.com/cert-manager/aws-privateca-issuer/blob/master/main.go#L54) where we can define the pathLength. Let me take a look into this. |
When I meant adding a flag, I meant introducing a new attribute into the AWSPCAIssuer/ClusterIssuer kind. Sort of like how it was done in this PR: https://github.com/cert-manager/aws-privateca-issuer/pull/42/files. |
So - just to be clear the concern here is that the current code (ultimately a VERY simple change) is not flexible enough to allow creating a SubCA that can then create more SubCAs under it, right? This is something that AWS barely supports on their own right now, and in fact prohibits you from doing across accounts through the Resource Access Manager service anyways. Can we get this merged as-is for now? If you really want it to be configurable, make it a flag that is set on the aws-privateca pod at runtime.. sort of a cluster-level setting? @anbaig Do you have a built-docker-image of this patch that we can test out? |
@anbaig So I was able to build the customized build with diranged@09c2060 and prove that this works, and works well. I strongly suggest finishing the PR (removing the check) and getting this out.. it's great. |
Signed-off-by: Zane Williamson <zwilliamson@flexport.com>
c1a66ee
to
1141ac9
Compare
1141ac9
to
1bdb51d
Compare
@diranged thanks for bringing up the issue about the sub CA template that came out of the discussion not being supported by cross account. I went ahead and made the default the Path Len zero template that is not the blank or APICSR passthrough variant. I also went ahead and added relevant unit tests and integ test to the branch @sepulworld! |
Thank you! |
1bdb51d
to
6b26436
Compare
6b26436
to
8b81313
Compare
8b81313
to
9d36104
Compare
Signed-off-by: Akbar Baig <baiakbar@amazon.com>
9d36104
to
19f94ab
Compare
[APPROVALNOTIFIER] This PR is APPROVED Approval requirements bypassed by manually added approval. This pull-request has been approved by: divyansh-gupta, sepulworld The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Signed-off-by: Zane Williamson zwilliamson@flexport.com